We've heard it said so many times before: Because there just isn't enough experienced talent to be had locally, we'll have to find expertise elsewhere. That might work for some jobs, but not every one. If your company processes the private information of European Union citizens and your company meets certain size and revenue thresholds, you likely will have to hire a chief privacy officer (CPO). However, that expertise is not to come by.
Do not be misled — the CPO is not just another position where you give someone a job title and hope they grow into the position. The responsibilities are varied, highly focused, and carry with them some rather unusual job peculiarities. For example, your CPO needs to have an intimate understanding of your company, its operations, the data it needs to its various functions and where that data is stored. Generally speaking, that might be part of the chief operations officer's job function.
However, the position also needs to understand a variety of legal issues as well, such as what data can be moved over borders, what the legal responsibilities are of the business partners that help you manage that data in any country anywhere in the world, and also have the ability to speak in public or perhaps to government agencies around the world. Now perhaps you are looking to your legal team. But do not forget that the CPO also needs a solid understanding of the technological issues involved. And ultimately, this executive will likely report directly to the board of directors, so they need to speak the language of the C-suite rather than just the jargon of a technical department.
So do you look to operations, legal or IT to find your CPO, or perhaps somewhere else? Whoever ends up with the CPO will have a considerable bit of clout in the company. GDPR regulations protect the CPO against retaliation by the company if they determine that an action the company is taking is inappropriate. While the person could be fired for cause, for example, they cannot be fired if the company decides it simply doesn't agree with a given decision.
If, for example, the CPO title is given to the CISO and the CISO reports up through the CIO, there could be potential conflicts. If, for example, the CPO determines that a decision of the CIO violates GDPR, the CIO could not simply fire their subordinate CISO who coincidentally is the CPO. Experts agree many of these apparent conflicts will have to work their way through courts to determine how far companies can and cannot go when the CPO also has other corporate responsibilities.
Another component to the question of who becomes CPO might lie in something as mundane as which department has the budget to hire someone with these particular areas of expertise. North American companies might take a page from European companies that already have a Data Protection Officer (DPO) and try to match the CPO's responsibilities to the DPO's job. Rather than reinventing the wheel, that is likely to be a popular approach for some larger US firms. However, US firms might well be spending a lot of time this year rearranging budgets to meet GDPR requirements.
US laws differ from those in the EU, so the CPO also needs to be aware of US privacy and data security laws and regulations. A lot of US companies have a lot of unstructured data in databases and customer relationship management software that needs to be identified and brought into compliance with GDPR regulations, which will be a mammoth undertaking at some companies. Those companies might lean a little more to the technocrat as the CPO, while companies that have been required to meet some European privacy regulations in the past might already have some of those functions under control, so they might opt more to an operation or legal executive.
So let's get back to the main question at hand: How do you hire a CPO? The answer is it all depends. Here again are some of the key issues to keep in mind:
1. The CPO's job is protected by GDPR regulations, so you do not necessarily want to just slap the title on someone who is not considered a long-term employee
2. The job requires expertise in many different disciplines, including law, technology, privacy and the politics of being a public-facing spokesperson
3. Because of the varied responsibilities, salaries likely will be high so budget becomes a concern
4. The CPO needs to be able to balance US and European laws that sometimes might be in conflict
5. The GDPR regulations define what kinds of companies definitely must have a CPO; if your company isn't specifically required to have that position you might want to get some GDPR experience under your belt before you make a hire.